2012年12月25日 星期二

Golden Shield Wargame 1 Writeup

In the first problem, a picture is given and ask you to decode it.
It's trivial to rotate 45 degree and remove useless part.Then we can observe that this QR code has opposite color, so we can change the colors. I write a small python program use PIL to rote picture.
import PIL
im = Image.open("QR1.jpg")
new_im = im.rotate(45)
new_im.save("QR2.jpg')


Use online QR code decoder, we can decode that
"恭喜您,解開了QRcode。請到 http://www.multiupload.nl/25BD9YIRO0,下載Golden Shield.apk,KEY就在裡面。"
Then we can goto website download the apk file.
After download the file, we use dex2jar convert the hex file to jar. Then we can use java decompiler to decompile the class file in jar back to java code.

The decompile result
 Then the string "@@@@您累了嗎? 來聽首歌好嗎?@@@@@" is the key.

Golden Shield Wargame 2 Writeup


This problem is "I am a bot. My boss give me a key!" and a file 100.bin is given.
Although file command analysis this file as data, we can conclude this file is a pcap file by hex editor. So we can open this file by Wire Shark. After checking some packets, I find out some packet has use "PRIVMSG" command, which is IRC command. Therefor I follow TCP stream of those packet, and it is potential botnet traffic we need to analysis.
And observe this traffic, we can find a get command to 118.168.56.240
We first try to connect 118.168.56.240 directly, but it's fails. So we turn to find the traffic to 118.168.56.240 by wireshark. After selecting those packet and following TCP stream, we find the key in packet.
  

2012年12月23日 星期日

Malware Detection System Based on SplitScreen

This is a simple project implemented by python. With the power of SplitScreen approach proposed in usenix security, this system can detect if a file is belong to black list. To handle explosion of malware signature, match the signature one by one is not enough and more efficient approach to identify known malware. SplitScreen employs Bloom Filter Algorithms for signature management, distribution and  detection.

Bloom Filter

Data Structure and Algorithms

Bloom Filter composed by  an n bits bit-vector which initialized all bits to 0 and k different hash functions. Bloom Filter support two operation, add and query. Add operation is used to add new element in to Bloom Filter. Add operation first compute k hash functions of the element and then set correspond bit 1.
In the same way, query operation compute k hash functions of the element and then check if correspond bit is set. If all the correspond bits is set to 1, then we can claim the membership of this element. If one of the correspond bits is clear, this element is not belong to the set.
  

Time and Space Complexity

The time to add and query both have time complexity O(k) , where k is the constant we can set. So we can estimate the two operations complete in constant time. And Bloom Filter is also space-saving because it take only n bits to store Bloom Filter.

Split Screen

Architecture

Split Screen has three components : Malware Database, Server and Client Agent.
Fig 1 System Architecture
Malware Signature Database is used to store all malware sample, in my case the samples is come from vxheaven.  And Server is aim to maintain BloomFilter structure and update new Bloom Filter to Client Agent.
        

System Flow

In my system , server will check malware database for newly update malware and add new malware to Bloom Filter. Then send a command to client for updating BloomFilter.

Implementation

In my implementation, source code structure is as below:
[server]
FFBFServer.py
[client]
FFBFCli.py
client.py
[common]
BF_Operation.py
FeedForwardBloomFilter.py
DirectoryList.pyHash.py

First we look into Hash.py, Although Bloom Filter need k different hash , in practice we can use linear combination of two hash functions instead. So Hash.py only compute two hash value about a file. 
With Hash.py's help, FeedForwardBloomFilter.py implement add and query operation.
class FFBloomFilter(object):
    def add(self,fname):
        self.hashClass.hash(fname)
        val1 = int(self.hashClass.getHash(),16)
        val2 = int(self.hashClass.getHash2(),16)
        hashValue =val1%self.size
        for _ in range(self.hashNum):
            self.bf1[hashValue]+=1
            hashValue+=val2%self.size
            hashValue%=self.size
            
    def query(self,fname):
        self.hashClass.hash(fname)
        val1 = int(self.hashClass.getHash(),16)
        val2 = int(self.hashClass.getHash2(),16)
        hashValue =val1%self.size
        for _ in range(self.hashNum):
            if self.bf1[hashValue]==0 :
                return False
            hashValue+=val2%self.size
            hashValue%=self.size
            
        hashValue =val1%self.size
        for _ in range(self.hashNum):
            self.bf2[hashValue]+=1
            hashValue+=val2%self.size
            hashValue%=self.size
        return True

BF_Operation.py implement algorithms in SplitScreen as Fig 2
Fig 2 SplitScreen Architecture
class BF_Operation(object):
    def __init__(self):
        self.hashNum = 10
        self.bitSize = 1024*1024
    
    def FFBF_INIT(self,path,outBF):
        ffbf =  FeedForwardBloomFilter.FFBloomFilter(self.bitSize,self.hashNum)
        Dir = DirectoryList.DirList()
        Dir.ListAdd(path,ffbf)
        ffbf.serialize(outBF)
    
    def FFBF_SCAN(self,path,inBF,outBF):
        ffbf =  FeedForwardBloomFilter.FFBloomFilter(self.bitSize,self.hashNum)
        ffbf.parsing(inBF)
        Dir = DirectoryList.DirList()
        ffbf.clear()
        matchdata = []
    
        Dir.ListCheck(path,ffbf,matchdata)
        ffbf.serialize(outBF)
        return matchdata
Where ListAdd() and ListCheck() treat a path of directory as input and add(check) all files in directory. In the paper, there are two more algorithms, FFBF_HIT() and FFBF_verify(), which are not needed while we only need to test membership of files.

2012年10月11日 星期四

Ether System Call Trace and Instruction Trace

Ether Introduction
Ether is proposed in CCS'08, which is the first malware analysis system based on Harware Virtualization Extension.

In traditional analysis , software emulation is widely employed. With the help of binary translation, instrumentation can be achieve easily. However some malware employ technique like anti-debugging, anti-instrumentation, and anti-VM to avoid analysis. Due to software emulation nature, all the instruction must be translate and expose more emulation bugs. Moreover , software emulation locate translator in the same system level with target system which approach is more easier to detect.

Ether has following functions

  1. Instruction Trace
  2. System Call Trace
  3. Memory Write Detection
  4. Unpack Detection
This article will analysis source code of instruction trace and system call trace. Memory write detection and unpack detection will leave in future discussion. 

Instruction Trace

There are two steps to implement instruction trace, setting trap flag and debug trap handler. Setting trap flag is used to enable debug trap in every instruction. Then after each trap , debug trap handler will be triggered and send instruction to user space.Approach here is similar to Hyperdbg, which was presented in ASE'10.

Setting Trap Flag

Ether set trap flag by function vmx_properly_set_trap_flag in "xen/arch/x86/hvm/vmx/vmcs.c".

  1. GUEST_INTERRUPTIBILITY_INFO
    Clear Bit 3 in GUEST_INTERRUPTIBILITY_INFO register to forbiden pending NMI interrupt.
    unsigned long int_state =
      __vmread(GUEST_INTERRUPTIBILITY_INFO);
      if((int_state & 3) )
      {
       int_state &= ~(3);
       __vmwrite(GUEST_INTERRUPTIBILITY_INFO, int_state);
      }
    
  2. EXCEPTION_BITMAP
    unsigned long intercepts = __vmread(EXCEPTION_BITMAP);
      unsigned long mask = (1UL << TRAP_debug);
      /* make sure the exception bitmap says to vmexit on 
       * debug exceptions
       */
      intercepts |= mask;
      __vmwrite(EXCEPTION_BITMAP, intercepts);
    
  3. GUEST_RFLAGS
    unsigned long flags = __vmread(GUEST_RFLAGS);
      unsigned long flags_mask = (X86_EFLAGS_TF);
      __vmwrite(GUEST_RFLAGS, flags);
      vmx_set_pending_exceptions(v);
    
This operation will be taken before VM-ENTER and after each VM-EXIT handler. In vmx_do_resume(), VMM execute  reset_stack_and_jump() and go back to Guest OS. Therefor it is suitable to place vmx_properly_set_trap_flag() before reset_stack_and_jump().

Debug Trap Handler  

Once trap flag is properly set, every instruction will cause a VM-exit trap. Then control will transfer to  VMM. To record every trap, we must modify vmx_vmexit_handler function in "xen/arch/x86/hvm/vmx/vmx.c". In case EXIT_REASON_EXCEPTION_NMI of exit_reason switch, if exception vector is TRAP_debug then we can record this instruction.

System Call Trace

Enforce sysenter to trap

When Ether initialize, Ether will execute ether_initialize() (in xen/arch/x86/hvm/ether.c) and set forced_sysenter_cs, forced_sysenter_eip to 0.
d->arch.hvm_domain.ether_controls.forced_sysenter_cs = 0;
d->arch.hvm_domain.ether_controls.forced_sysenter_eip = 0;
Once we need to record system call, XEN_DOMCTL_ETHER_SET_SYSENTER event will be trigger in arch_do_domctl function(xen/common/domctl.c).
case XEN_DOMCTL_ETHER_SET_SYSENTER:
    if(op->u.ether.sysenter_eip)
    {
 /* operation = set msrs and force their values
  */
        /*Set forced_sysenter_cs to op->u.ether.sysenter_cs*/
 ether_set_sysenter_cs(d, 
  op->u.ether.sysenter_cs);
        /*Set forced_sysenter_eip to op->u.ether.sysenter_eip */
 ether_set_sysenter_eip(d, 
  op->u.ether.sysenter_eip);
        /*Set should_force_sysenter_msr to 1*/
 ether_force_sysenter_msrs(d, 1);       
    }
After those operations, vmx_set_sysenter_msrs() will be called by vmx_properly_set_trap_flag().
inline static void vmx_set_sysenter_msrs(struct domain *d)
{
 u64 new_cs;
 u64 new_eip;
 /* write MSR registers */

 /* default to writing old(imaginary) values to guest */
 new_cs = ether_get_imaginary_sysenter_cs(d);
 new_eip = ether_get_imaginary_sysenter_eip(d);

 if(ether_should_force_sysenter_msr(d))
 {
  /* it seems that we should write user supplied
   * values instead
   */
  u64 forced_cs;
  u64 forced_eip;
  /* writing user supplied forced values to guest */
                /* Get forced_sysenter_cs and forced_sysenter_eip*/
  forced_cs = ether_get_sysenter_cs(d);
  forced_eip = ether_get_sysenter_eip(d);

  if(forced_cs)
   new_cs = forced_cs;

  if(forced_eip)
   new_eip = forced_eip;

 }
        /*Update guest OS MSR*/
 vmx_write_sysenter_msr(GUEST_SYSENTER_CS, new_cs);
 vmx_write_sysenter_msr(GUEST_SYSENTER_EIP, new_eip);
}

Upon vmx_set_sysenter_msrs executes, guest OS will be forced to trap when system call occurs.Then we can get the system call information in VM-Exit handler.

Handle trap due to sysenter

When VM-exit is triggered, vmx_handle_debug_exception() will execute inside vmx_vmexit_handler().(in xen/arch/x86/hvm/vmx/vmx.c)
asmlinkage void vmx_handle_debug_exception(struct vcpu *v, 
  struct cpu_user_regs *regs)
{
 /*
  * things to do
  * 1) grab instruction we trapped at
  *  a) get instruction length (possibly via decode?)
  *  b) grab instruction from memory
  * 2) reset flag for setting trap flag on next instruction
  * 3) call userspace handler for instruction step
  */

 if(ether_get_stepping_type(v->domain) != ETHER_BP_AUTO_STEP)
 {
  ether_handle_instruction(v, regs);
 }
 else
 {
  /* check saved gva == current RIP */
  unsigned long rip = __vmread(GUEST_RIP);
  unsigned long cr3 = hvm_get_guest_ctrl_reg(v, 3);
  unsigned long thread_id = ether_get_windows_tid(__vmread(GUEST_FS_BASE));
  int match_type; 

  match_type = ether_bp_in_list(v, rip, cr3, thread_id);

  if(match_type == ETHER_BP_FULL_MATCH)
  {
   struct ether_bp_list *removed_item;
   /* disable_stepping takes care of changing
    * the stepping type as well
    */
   ether_disable_stepping(v->domain);
   removed_item = ether_bp_get_and_remove(v, rip, cr3, 
     thread_id);

   if(removed_item != NULL)
   {
    ether_handle_syscall_return(v, removed_item->call_number, regs);
    xfree(removed_item);
   }

   
  }
  else if(match_type == ETHER_BP_GFN_MATCH)
  {
   unsigned char two_byte[2];
   two_byte[0] = two_byte[1] = 0;

   hvm_copy_from_guest_virt(&two_byte, rip, 2);
   /* about to hit an INT instruction */
   if(two_byte[0] == 0xCD)
   {
    unsigned long bp_location = 0;

    bp_location = 
     ether_read_idt_entry(two_byte[1]);

    if(bp_location != 0)
    {
     /* ignore ESP and call# in breakpoint
      */
     if(0 < ether_bp_create(v, bp_location, cr3, 0, 0, 1))
     {
      /*printk("ETHER_BP: set bp for INT handler: 0x%lx\n",*/
        /*bp_location);*/
     }
    }
    else
    {
     printk("ETHER: could not read IDT entry\n");
    }
    
   }
   ether_disable_stepping(v->domain);
   ether_bp_mark_np(v, ether_bp_get_known_gva(v),
    1, 1);

  }
  else if(match_type == ETHER_BP_NO_MATCH)
  {
   ether_disable_stepping(v->domain);
   /* mark page NP again */
   ether_bp_mark_np(v, ether_bp_get_known_gva(v),
    1, 1);
  }
 }
 
}

Reference

XEN internal
http://www.docin.com/p-334444719.html
http://wiki.xen.org/wiki/Mini-OS-DevNotes

ETHER webpage
http://ether.gtisc.gatech.edu/source.html#patching_xen
http://www.offensivecomputing.net/?q=node/1575
https://groups.google.com/forum/?fromgroups=#!topic/ether-devel/Us47vyfwnZE
http://mether.googlecode.com/svn/trunk/ether/vmx.c

XEN VMEXIT HANDLER
http://www.cnblogs.com/superymk/archive/2010/02/02/1661686.html
http://old-list-archives.xen.org/archives/html/xen-devel/2010-07/msg01675.html
http://lkml.indiana.edu/hypermail/linux/kernel/1205.0/02778.html

XEN Single Step Trap
http://comments.gmane.org/gmane.comp.emulators.xen.devel/113088

XEN Debugger
http://www.xen.org/files/xensummit_intel09/xen-debugging.pdf

Research Paper
XenLR: Xen-based Logging for Deterministic Replay*
http://grid.hust.edu.cn/hkliu/index_files/XenLR%20Xen-based%20Logging%20for%20Deterministic%20Replay.pdf
Deterministic Replay for Xen
http://www.cs.ubc.ca/~sara88/538wslides.pdf

Improving VMM based IPS for real-time
snapshot and nullification of buffer overflow
exploitation
http://homepage2.nifty.com/way_to_hack/pdfs/jwis06RuoAndo.pdf

2012年9月27日 星期四

Xen Paravirtualization

This article is based on “Xen and the Art of Virtualization,” from SOSP'03. It's the first paper for paravirtualization.

Virtual Machine Interface

CPU Privilege Level

There are four privilege level in x86 architecture, but most of OSes use only two privilege level. Therefore we can modify OSes to run in ring 1 and preserve ring 0 for Xen hypervisor.  So that privilege instruction will trap to hypervisor for updating and validating.

Exception

Guest OSes can register exception handler table to Xen Hypervisor . If the handler's code segment is not run in ring 0,  Xen create a copy of exception stack frame on guest OS then transfer control to appropriate handler.
Due to observe that system call is one of most frequently happened exception, improving system call's performance can largely effect overall system.To improve system call performance, Xen can check if any code segment of handler is in ring 0 when guest register exception handler. If there are no code segment in ring 0, guest OSes can directly execute the system call handler.

Memory Management

There are two TLB mechanism apply to Xen, that is software-managed TLB and tagged TLB. With  software-managed TLB , Xen can manage TLB directly. Tagged TLB associate each TLB entry with an address-specific identifier so that hypervisor and each guest can maintain their TLB in the same time.
There two principal in Xen's memory management. First , guest is response for allocating hardware page table. Second, Xen located in first 64 MB of every address space.

Device I/O

Different to other full virtualization system, which emulate each device I/O, Xen use an device abstract for device. Every device I/O will be transfer from it's domain to hypervisor by a shared-memory, asynchronous buffer- descriptor rings. In additional, Xen use event-delivery mechanism send back notification to each domain.

Mechanism Design

Control Transfer

Hypercall

To perform privilege instruction, domain U will trigger a software trap and send a hypercal to make Xen perform corresponding action.   

2012年9月19日 星期三

XEN Basic

Xen Virtualization Introduction

Virtualization is one of most important technique in nowaday computer system.With virtualization mechanism , services such as cloud computing, application mobility and co-location facility can be implement.

Xen is the virtual machine monitor that first proposed in SOSP'03 by University of Cambridge. Xen is aim to provide high performance resource management. In the other hand , Xen hypervisor must isolate each virtual machine from others.Finally Xen must support wide range of  heterogeneity operating system.

http://www.cl.cam.ac.uk/research/srg/netos/papers/2003-xensosp.pdf

Virtualization type

In 2003 , Xen was first proposed with paravirtualization architecture. Just after Intel proposed VT-x in 2005 , Xen release version 3.04 which support hvm client.  Figure 1 show both two type's architecture. 
Figure 1 : Xen Architecture

Paravirtualization 

Compare to full virtualization used by VMware's ESX server which not need to modify guest OSes, Xen employ paravirtualization that need to make some minor change to guest OSes. After modification, Xen can offer the same abstraction between virtual machine and underlying hardware ,so that performance can be improved.   

Hardware-assisted Virtualization

After VT-x published, consistent view between sensitive instruction and privilege instruction let full virtualization easily.That is , all the sensitive instruction execute in guest will cause a trap to VMM. With the power of VT-x, Xen are modify to support HVM which has no need to modify guest OSes.  Latter in 2006, "Extending Xen with Intel Virtualization Technology" was published in Intel Technology Journal .This article states changes for Xen to support HVM.

Xen Basic installation

Reference

  1. “Extending Xen* with Intel® Virtualization Technology,” Intel Technology Journal vol. 10, no. 03. 2006.
  2. P. Barham, B. Dragovic, K. Fraser, S. Hand, T. Harris, A. Ho, R. Neugebauer, I. Pratt, and A. Warfield, “Xen and the Art of Virtualization Categories and Subject Descriptors,” SOSP'03.
  3. Xen official website, http://www.xen.org/download/index_3.4.4.html
  4. WikiPedia ,  http://en.wikipedia.org/wiki/Xen

2012年8月28日 星期二

A New Attack Vector : Attack from VMM

With growth of cloud service , virtual machine become widely deployed. Nowadays, security issue was most   concern when employ cloud service. Recently, Symantec has announced malware analysis report about Crisis. The most interesting thing is that Crisis can propagate though VMware, and this can be a good example of security issue of cloud service.

The only function demo by Crisis is copy it self into VM by VMware player tool. However with power of VMI technique proposed by many academic work, Mlaware can do almost everything from stealing information, killing Anti-Virus to invoking new process outside the VM. Due to this "out-of-box" character, system inside VM has no direct way to detect this kind of attack.

To raise this kind of attack, hacker should first get control of VMM. This can be done by misconfiguration of    VM server, by insider attack, or some vulnerability of VM system(like vulnerability in Xen driver). Although attack to VM server is not an easy job, it still introduce a new attack vector that worthy to research in the future.       

[1]  Symantec Crisis Analysis Report

2012年8月23日 星期四

Introduction Virtualization in ARM platform

With explosion growth of mobile device, profits by attack mobile device also increase in an incredible rate. In some aspect, mobile combine to user even more close. Due to those reason, mobile malware appear exponentially. Especially for android malware due to it's widely used and open architecture. Many recent report also show that android malware increase exponentially, like Dissecting Android Malware: Characterization and Evolution in S&P'12 and F-secure Mobile Threat Report.

To address rapidly raise of mobile , both static and dynamic approach have been proposed. However static analysis suffer from code obfuscation and packed. In additional, static analysis will fail to reveal dynamic behavior include dynamic loading. Therefore dynamic analysis become standard and future trend to analysis android malware.

Although dynamic analysis can overcome code obfuscation and dynamic loading, dynamic analysis also has some shortcoming, like code coverage. In android platform, it lacks robust emulator that can precisely emulate common device like GPS, SMS and phone call, Some of which are most interesting when analysis android malware. However directly use real device to analysis is unavailable due to damage of read device and hard to scale. One reasonable solution is to use virtualization technique, however there are no stable virtualiazation platform in arm due to property of ARM system which not support virtualization.

Following the trend of virtualization, Sangsong proposed XEN/ARM and Columbia University also proposed KVM/ARM in 2010. However both solution lack of hardware support and have appendant memory and CPU overhead. In SOSP'11, Columbia University Department of Computer Science announce Cells project, which is the very first work about OS virtualization in ARM. Cells can leverage device that already support by OS without port every device. In Taiwan , SS Lab in NTHU also research in virtualization in ARM.Those research expose a new possibility for android malware analysis which employs real device with virtualization, so that we can reuse and reconstruct clean environment for analysis.   

2012年8月14日 星期二

S&P'12 : ReDeBug: Finding Unpatched Code Clones in Entire OS Distributions

To deal with unpatched code clones in scale of OS-distribution, Jiyong Jang, Abeer Agrawal, and David Brumley from Carnegie Mellon University published "ReDeBug: Finding Unpatched Code Clones in Entire OS Distributions" in S&'P12, in which paper they proposed a system that can find unpatched code clones in OS distribution.

Due to the complexity of OS, there are always bugs inside whole system. Nowadays, patch is the standard methodology to update OS and fix bugs discovered. However there are still bugs produced by clone original buggy code in different sub-system, those bugs has the same attribute to original bug but hard to discover.

Most previous work like MOSS, CCFinder are focus on detection all code clone in system, which is limit by code scale. Many of them are language-dependent which is not suitable for OS ,which is multi-language environment.

In addition to find more unpatched buggy clone code, this paper try to answer following question.

  1. how much (potentially) vulnerable code can an attacker identify when a patch is released
  2. how responsive is the new version of an OS to known security vulnerabilities
  3. how many persisting unpatched code clones  
Due to the huge scale of OS, ReDeBug system proposed must has flexible scalability, Language agnostic, and has Lower false detection rate. ReDeBug
  The flowchart above describe the progress of ReDebug.

  • Pre-process the source
    1. Performs normalization and tokenization
    2. Moves an n-length window over the token stream. For each window, the resulting n-tokens are hashed into a Bloom filte
    3. Stores the Bloom filter for each source file in a raw data format
  • Check for unpatched code copies
    1. Extracts the original code snippet and the c tokens of context information from the pre-patch source
    2. Normalizes and tokenizes the extracted original buggy code snippets
    3. Hashes the n-token window into a set of hashes
    4. Bloom filter set membership test
  • Post-process the reported clones
    1. Performs an exact-matching test
    2. Excludes dead code
    3. reports only non-dead code to the user

2012年8月13日 星期一

S&P'12 : A Framework to Eliminate Backdoors from Response-Computable Authentication

This paper "A Framework to Eliminate Backdoors from Response-Computable Authentication" is published in S&P'12.The authors are Shuaifu Dai, Tao Wei, Chao Zhang, Tielei Wang, Yu Ding, Zhenkai Liang, Wei Zou from Peking University, University of California, Georgia Institute of Technology School of Computing, and National University of Singapore.

Standard authentication mechanism can be divide into two type. In first type use challenge and response mechanism  and direct compare user response and respected response .This mechanism is widely employed in security system. For example, simple password checking, RC4. Second type feed user response to some authentication  mechanism to check if authentication success. This paper focus on eliminate these backdoor based on previous authentication type, response-computable authentication (RCA).
//how about move authentication type to type 2.

To gain the control of system and against authentication mechanism, it is common for hacker to plaint backdoor into system. For examples VSFTPD 2.3.4 Backdoor in 2011, Back Door in Commercial Shopping Cart. Typically, backdoor can be classify to three types. Adversary model of backdoor is described following. The attacker has chance to modify develop progress but cannot interfere deployment environment. For examples, attacker may modify  source code/binary directly, Thompson’s compiler backdoor[1], design to use weak cryptography algorithms. In this paper's 3 assumptions, 1) attacker cannot intercept code review and testing process.2) operating system is trusted. 3) password database is  trusted.

Backdoor of RCA can be classify to two type, type T1 and type T2. In type T1, bypass response comparison, backdoor bypass comparison between user response and respected response according to user input(U-trigger backdoor), global states(G-trigger backdoor) and internal states(I-trigger backdoor). Type T2 backdoor, controlling computation of expected response, can furthermore divide to two type, type T2a and type T2b. Type T2a backdoor's response computation depends on information other than challenge and password. Type 2b is response computation collision-based backdoor.

To address those backdoor, this paper propose a new RCA framework.
This framework eliminate backdoor by following steps.
  1. Explicit response comparison, this step divide verification process into response computation and response comparison. And ensure that only task response comparison do is comparing user response and respect response. This step can eliminate T1 backdoor.
  2. Function purification, this step ensure the only two factor involve in response computation is challenge and password. To make response computation a pure function(that is a function without side effects and deterministic), NaPu components employ a function level sandbox with global state isolation and iternel state reset. After this step T2a backdoors are eliminated.
  3. Backdoor usability testing, this step use collision testing to find out high collision algorithms and eliminated T2b backdoors.



  1. K. Thompson. Reflections on trusting trust. Communi- cations of the ACM, 27(8):761–763, 1984.

S&P'12 : Safe Loading - A Foundation for Secure Execution of Untrusted Programs

"Safe Loading - A Foundation for Secure Execution of Untrusted Programs" is the paper publish in S&P'12. Paper authors are Mathias Payer,Tobias Hartmann and Thomas R. Gross ,from ETH Zurich, Switzerland ETH.

There are many sanbox system employ BT(binary translation) to instrument application's system call. Libdetox, Vx32, Strata all belong to this type. To make decision if the program can be executed, research about policy-based system call authorization have been published. Moreover , full system virtualization, system call interposition also can isolate application.

This paper proposes a system to solve two problem that current SFI(software-based fault isolation) frameworks have. First is that sanbox can be attacked through dynamic loader.The second is that application inside sanbox must have privilege to map code into memory.

First problem presents due to complexity of loader. Current standard loader employ many functionality like debugging and  call tracing. Exploiting bug of loader , privilege escape can be achieve with SUID program.  
Secondary, the standard loader is responsible to map code include BT itself to memory which leaks information about BT. In addition, sanbox has no information about executable and data layout in memory.

In order to solve these two problems , this paper proposed SFI framework that replace standard loader by a lightweight secure loader and move secure loader into sandbox. Sandbox divide application into two domain, sandbox domain(secure loader and sandbox) and application domain. In sandbox domain, it can ensure only checked code loaded. Every applications run in application domain must be examined first and indirect control flow transfer will be checked by sandbox domain.

This framework have following three benefits:
  1. Restricting Privilege Escalation Attack
    The light-weight loader will not suffer from complexity of standard loader.Without feature like debugging, backwards compatibility, secure loader only need to relocate code and thus reduce attack vector.
  2. Protecting All Executed Application Code
    All code run in application domain must use well-define API communicating to sandbox domain which can reduce attacker gathering information about loader.
  3. Opening the Loader Black Box
    With information shared by loader, sandbox can distinguish code region and data region.Therefore sandbox can provide trusted execution. 

 

2012年8月12日 星期日

HIT2012 Wargame Writeup : Binary 7

This is Binary 1 writeup in HITCON 2012. Binary1 is the easiest binary problem. This problem give an executable and make you read the key.
It is easy to use IDA pro to inspect program flow which create 10 thread and write something to file "key.txt". So it is easy to guess that content wrote in "key.txt" is the answer.
Flow of t100.exe
There are decompile code that each thread.
Those threads sleep some times of a random number then print some characters to file.But without give rand function a seed, all random number produced in each thread is the same.So we can easily sort the characters in each thread by there sleep and get the key.

2012年8月10日 星期五

Hook CreateFile by pydbg


For malware analysis , file access is an important factor to understand what malware do. Therefore in this article, I write a small program that can hook windows createfile API.

TOOL
 I use pydbg to develop this program. pydbg is an subproject of paimei which is a well-known reverse engineering tool.
It is not easy to install pydbg. During installing pydbg, I have encountered following error, and there are some articles solve those problems.
1.      pydasm not found
        Because pydbg need a decompiler, so we need to install pydasm first. Pydasm source can be found here. https://code.google.com/p/libdasm/. Then remove pydasm.pyd in pydbg source.

2.      unable to find vcvarsall.bat
This is due to lower version of VS compiler. We can solve this problem by install higher version of VS or use mingw instead.
3.  gcc: error: unrecognized command line option '-mno-cygwin'
   Option '-mno-cygwin' has been removed in gcc options.So we just remove '-mno-cygwin' in ‘distutils\cygwinccompiler.py’


program review

Due to dynamic link of createfile API, we cannot resolve address of createfile at program start. Therefore we need to hook createfile API once kernel32.dll loaded.
We write a call back function load_dll () which is triggered when dll load. And we use dbg.set_callback(LOAD_DLL_DEBUG_EVENT, load_dll) to register callback of DLL loading. In function load_dll (), we should check if kernel32.dll was loaded and hook createfile API(CreateFileW) .

file_hook.py

from pydbg import *
from pydbg.defines import *

import utils
import sys
import os
from ctypes import *

is_hook = 0

def FileCreateHook( dbg, args ):
    buffer  = ""
    offset  = 0
    while 1:
        byte = dbg.read_process_memory( args[0] + offset, 2 )
        if not ( ord(byte[0])==0 and ord(byte[1])==0) :
            buffer  += byte
            offset  += 2
            continue
        else:
            break
    print unicode(buffer,"utf-16")
    return DBG_CONTINUE

########################################################################################################################
def load_dll (pydbg):
    last_dll = pydbg.system_dlls[-1]
    print "loading:%s into:%08x size:%d" % (last_dll.name, last_dll.base, last_dll.size)
    global is_hook
    if is_hook==0 :
        
        global hooks   
        hooks = utils.hook_container()
        hook_address  = pydbg.func_resolve_debuggee("kernel32.dll","CreateFileW")
        print hook_address
        if hook_address:
            res = hooks.add( pydbg, hook_address, 7, FileCreateHook, None)
            is_hook =1
            print res
            print "[*] CreateFileW hooked at: 0x%08x" % hook_address
        else:
            print "[*] Error: Couldn't resolve hook address."
    return DBG_CONTINUE

dbg = pydbg()
dbg.set_callback(LOAD_DLL_DEBUG_EVENT, load_dll)
dbg.load(sys.argv[1])

is_hook =0
hooks=None

dbg.debug_event_loop()


reference

2012年8月6日 星期一

Malware Analysis : Trojan:AutoIt/Ransom.F

This malware has free sample and analysis report in malware.lu. So I try to analysis this sample as practice.
When I am analyzing this  sample , it had detection rate 14/40 at VirusTotal
This malware come with icon as following image , which give us hint that this malware is compiled by AutoIt :
After this sample execution , it will connect to 95.163.104.88 which website was already removed.And this network activity can be cached by our tool. So we can observe that it connect to 95.163.104.88/spielberg/start.php.
Sometimes there is an pop-up windows during execution :

 We can also observe it change some file in following image:
This malware are packed by UPX.  We can easily unpacked it and get origin executable.
Then we use exe2aut to decompile the sample , and retrieve AutoIt scipt.
The most interesting part is at end of script , it install some registry to trigger itself after booting.But this behavior is not detect by our tool. Then it check if explore.exe and taskmgr.exe existed to ensure it's GUI in top of windows.

This sample can not run by both anubis and cwsanbox.

2012年8月2日 星期四

WDK Minifilter Driver

In order to develop a driver for lab project , I try to review code in WDK source. After a very short view , I found there are some example code which are worthy to read.For example, In source code of Minifilter Driver(scanner.c), the author state that "This filter scans the data in a file before allowing an open to proceed.  This is similar to what virus checkers do."

Minifilter can ....

To use Minifilter , first we need to construct a FLT_REGISTRATION  structure.Here is examples in WDK.


const FLT_REGISTRATION FilterRegistration = {
    sizeof( FLT_REGISTRATION ),         //  Size
    FLT_REGISTRATION_VERSION,           //  Version
    0,                                  //  Flags
    ContextRegistration,                //  Context Registration.
    Callbacks,                          //  Operation callbacks
    ScannerUnload,                      //  FilterUnload
    ScannerInstanceSetup,               //  InstanceSetup
    ScannerQueryTeardown,               //  InstanceQueryTeardown
    NULL,                               //  InstanceTeardownStart
    NULL,                               //  InstanceTeardownComplete
    NULL,                               //  GenerateFileName
    NULL,                               //  GenerateDestinationFileName
    NULL                                //  NormalizeNameComponent
};


Third member of FLT_REGISTRATION  is an FLT_CONTEXT_REGISTRATION which define context type. And Callbacks is an FLT_OPERATION_REGISTRATION structure to register call back operator.Following is examples of this two structure.


const FLT_CONTEXT_REGISTRATION ContextRegistration[] = {
    { FLT_STREAMHANDLE_CONTEXT,
      0,
      NULL,
      sizeof(SCANNER_STREAM_HANDLE_CONTEXT),
      'chBS' },

    { FLT_CONTEXT_END }
};
[structure explain]

const FLT_OPERATION_REGISTRATION Callbacks[] = {

    { IRP_MJ_CREATE,
      0,
      ScannerPreCreate,
      ScannerPostCreate},

    { IRP_MJ_CLEANUP,
      0,
      ScannerPreCleanup,
      NULL},

    { IRP_MJ_WRITE,
      0,
      ScannerPreWrite,
      NULL},

    { IRP_MJ_OPERATION_END}
};
[structure explain]

The most interesting part is ScannerPostCreate function.Then we move to ScannerPostCreate function and take a look.
This function check file extension then call ScannerpScanFileInUserMode function. If the return value safe, then we leave it for write check.Otherwise , use FltCancelFileOpen to cancel file open operator.

In function ScannerpScanFileInUserMode ,  it calls FltReadFile function to read file content to buffer then pass it to user space by FltSendMessage.And user space program is responsible for scanning the content.

[How to communicate between user space and kernel space]
 

HIT2012 Wargame Writeup : Binary 1

This writeup is about problem Binary 1 in HITCON 2012.
There is the description about  Binary 1:
Kenny 意外地從探險家手上獲得了一張海外的藏寶圖,但看起來似乎失去了下半部分,你能幫助他找到寶藏嗎??
And there is a kenny.zip  provided , which contain a Keyexe.jpge file inside.

We can observe that Keyexe.jpge can open by double-click , but can not open by image editor such as paint.So we can infer that Keyeze.jpge is not a jpge file but an exe file , which use windows reverse file name method to hind itself.[資料補充~~] 

After change the file name to key.exe, we can open it by debugger(because origin filename include invalid character).

We can find out that jpge file showed is 2.jpge in temp directory. After short analyse , we can find out there are 3 files create while execution.Those files are 1.jpge,2.jpge and SYS. 1.jpge is an image file contain "ioctl: 6666" message.SYS is device driver. Now we can guess next step is to register this device and send 6666 message to it through IOCTL.

By using IDA or ollydbg , we can find device name is Kenny.Then we can write a small program to send message to driver.Then driver will response "Boracay.exe" in debug message. Finally we change the original executable's  filename to Boracay.exe and execute it.The key "hey it nice" will displayed in DebugView.
[補充圖片]


ps. thanks for kost0911's sharing .He's article help me to find out device name , so I can complete this problem.
http://kost0911.pixnet.net/blog/post/91590907  

HIT2012 Wargame Writeup : Mobile 1

There was a new catalog - Mobile added in this year HIT wargame. Although there are two problem in this  catalog , it can point out that mobile security is future trend in security.
Mobile 1 is an easy problem , there are only two things need to do.
First , unzip the apk file. Then open files one by one , then we can find some string in META-INF/CERT.RSA ."What is the guy's nickname in base64 format?" .So we can find the guy's nickname in article and encode it as base64 to get the key.
Reference to wiki , CERT.RSA is the certificate of the application

   

2012年7月28日 星期六

Introduction to this blog

This blog is used to record some research summary about security.
The content may include wargame writeup, paper reading , and security technology/issue